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ABSTRACT 

Attribute-Based Encryption (ABE) is a powerful crypto¬ 
graphic tool that allows fine-grained access control over data. 
Due to its features, ABE has been adopted in several appli¬ 
cations, such as encrypted storage or access control systems. 
Recently, researchers argued about the non acceptable per¬ 
formance of ABE when implemented on mobile devices. In¬ 
deed, the non feasibility of ABE on mobile devices would 
hinder the deployment of novel protocols and services-that 
could instead exploit the full potential of such devices. How¬ 
ever, we believe the conclusion of non usability was driven 
by a not-very efficient implementation. 

In this paper, we want to shine a light on this concern by 
studying the feasibility of applying ABE on smartphone de¬ 
vices. In particular, we implemented AndrABEn, an ABE 
library for Android operating system. Our library is written 
in the C language and implements two main ABE schemes: 
Ciphertext-Policy Attribute-Based Encryption, and Key- Pol¬ 
icy Attribute-Based Encryption. We also run a thorough set 
of experimental evaluation for AndrABEn, and compare 
it with the current state-of-the-art (considering the same 
experimental setting). The results confirm the possibility 
to effectively use ABE on smartphone devices, requiring an 
acceptable amount of resources in terms of computations 
and energy consumption. Since the current state-of-the-art 
claims the non feasibility of ABE on mobile devices, we be¬ 
lieve that our study (together with the AndrABEn library 
that we made available online) is a key result that will pave 
the way for researchers and developers to design and imple¬ 
ment novel protocols and applications for mobile devices. 
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1. INTRODUCTION 

Attribute-Based Encryption (ABE) is a public key en¬ 
cryption scheme first introduced in 2005 by Sahai and Wa¬ 
ters [17 . In this scheme, both encryption and decryption 
are based on attributes (e.g., age, gender, or job position), 
that can be either related to the private keys of the users, 
or to the ciphertext. A user can restrict access to a spe¬ 
cific piece of data by defining an access policy. As an ex¬ 
ample, an access policy can be expressed as a boolean ex¬ 
pression such as (A A B) V C, where A, B and C are at¬ 
tributes and the possible values for attributes are implic¬ 
itly true or false. Researchers proposed two main types of 
ABE schemes, namely Key-Policy Attribute-Based Encryp¬ 
tion (KP-ABE) [llj and Ciphertext-Policy Attribute-Based 
Encryption (CP-ABE) |7j. 

Compared to the other encryption approaches, ABE 
presents several advantages [14]. First, it allows the data 
owner to apply a fine grained access control over data, based 
on attributes and policies. Second, ABE schemes are scal¬ 
able and independent of the number of authorized users. 
Moreover, ABE by construction is resilient against collu¬ 
sion attacks. Finally, while traditional public key infras¬ 
tructures impose a noticeable communication and storage 
overhead due to the exchange of cryptographical material, 
using ABE the data owner can encrypt data by using a set 
of attributes, without exchanging any certificates or identi¬ 
fying the client 114 . 

Several factors influence the performance of ABE in real 
applications, such as the number of attributes used for defin¬ 
ing an access policy, the desired security level, and the capa¬ 
bilities of the underlying device, in terms of available mem¬ 
ory and CPU speed. Some researchers have already studied 
the feasibility of using ABE on mobile devices 21 ; how¬ 
ever, most of the existing studies do not consider all the 
factors, or actually do not implement ABE on smartphone. 
In 2lj, Wang et al. evaluated the performance of CP-ABE 
and KP-ABE on laptop and smartphone devices. They im¬ 
plemented both schemes by Java language, and evaluated 
different metrics. The authors concluded that the ABE per¬ 
formance is unacceptable on Android smartphone. However, 
the usefulness of ABE in mobile applications is evident, and 
its non feasibility on such devices would be a big obstacle 
to deployment of new services and to benefit from its ad¬ 
vantages. Therefore, obtaining acceptable performance is 
the biggest challenge for guaranteeing the use of ABE on 
resource constraint devices. 



Contribution. 

The contribution of this paper is a comprehensive and 
careful study of the feasibility of ABE operations on An¬ 
droid smartphone devices. In particular, differently from 
what claimed in 
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, we show that it is possible to achieve 
reasonable performance for the main ABE operations, even 
on smartphone devices. We provide AndrABEn, an imple¬ 
mentation of CP-ABE [7] and KP-ABE 11 as a C library 
for Android smartphones. We integrated such library into 
Android using the Android Native Development Kit (NDK) 
tool. We evaluated our implementation, and compared its 
performance with the Java-based study and implementa¬ 
tion prop osed by Wang et al. in their work presented at 
ICC 2014 21 , considering the same experimental setting:]]] 
The results of our thorough evaluation show that the perfor¬ 
mance of our solution is an order of magnitude higher than 
the one in [51]. Accordingly, our results prove that apply¬ 
ing ABE is indeed feasible on current mobile devices, such 
as Samsung Galaxy Nexus smartphone—on which we ran 
our experiments. Finally, we made the AndrABEn library 
freely available [l for researchers and developers. 


Organization. 

The rest of the paper is organized as follows. In Section 
[2] we present some related work. In Section [3] we introduce 
the preliminaries and background on ABE. In Section [4] 
we present AndrABEn, our proposed implementation for 
CP-ABE and KP-ABE, and provide an analysis of its per¬ 
formance. We also discuss and compare our results with the 
ones in [51]. Finally, in Section [5] we draw our conclusions. 


2. RELATED WORK 

Due to the increasing use of mobile devices, evaluating the 
performance of cryptographic algorithms on mobile devices 
is an important issue that has been considered in several 
research studies 9,13, 18] 20 . As an example, Braga and 
Nascimento [5] evaluated the feasibility of cryptographic al¬ 
gorithms on Android smartphone devices. They assessed the 
portability of cryptographic libraries on a Samsung i9100 
and measured the performance of applying these libraries 
on the Android devices; however, in their analysis they did 
not consider ABE. 

Recently, the concept of ABE has been used in various 
schemes to deal with data confidentiality, privacy and access 
control issues. Unfortunately, most of these research stud¬ 
ies did not evaluate the actual feasibility of adopting ABE 
in their proposed approaches. However, few researchers fo¬ 
cused on such assessment; we discuss some of them in the 
following. 

In [6], Baden et al. presented Persona, an Online Social 
Network, where users are able to hide their personal infor¬ 
mation. They provided privacy by encrypting data with 
ABE. They implemented their solution on a first generation 
iPhone device, by cross-compiling the cpabe library [5j and 
its dependencies for the iPhone SDK 2.2.1. They obtained 
an average decryption and encryption time of 254 ms and 
926 ms respectively, considering access structures containing 
one to five attributes. However, the authors did not provide 
an implementation of ABE on the Android smartphone. 


x We re-implemented the proposal in 
ability of the original source code. 
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due to the unavail- 


Along the same line of studies, we also proposed a system 
for efficient software updates distribution, over untrusted 
distribution networks in [5]. We used CP-ABE to guarantee 
flexible access control. In this work, we only provided eval¬ 
uations measured on a laptop device with two 2.4 GHz Intel 
Core 2 Duo CPUs. Based on our experimental results, the 
CP-ABE encryption and decryption time for five attributes 
are 77.47 ms and 32.62 ms, respectively. We realized that 
not providing a proper feasibility assessment is a big limita¬ 
tion for this type of proposals. In this paper, we aim to fill 
this gap and pave the way for developing further solutions 
assuming the feasibility of ABE for mobile devices. 

A study similar to the one we are going to discuss in this 
paper was carried out in [5l . The authors evaluated the 
performance of CP-ABE and KP-ABE in terms of execu¬ 
tion time, data overhead, energy consumption, CPU and 
memory usage. They implemented these two ABE schemes 
using Java on a laptop with a 1.60 GHz Intel Quad-Core i7 
2677M CPU and a smartphone runs Android 4.04 with a 
1.60 GHz Intel Atom Z2460. The authors stated that ap¬ 
plying ABE on Android smartphone devices is not practical 
with acceptable performance. In this paper, we show that 
this conclusion mostly depends on the specific implementa¬ 
tion provided in [51], and it does not hold in general. 

Finally, in l5] Green et al. proposed an alternative ap¬ 
proach for efficient ABE decryption. In their solution, a 
part of the ABE decryption is outsourced to a third party 
cloud, highly reducing the load on the client device. How¬ 
ever, while representing a good option to facilitate the ABE 
operations on devices with limited resources, this solution 
requires additional resources compared to in-device decryp¬ 
tion, such as a third-party cloud entity, as well as Internet 
connectivity. 

To the best of our knowledge, we are the first that show 
the reasonable performance of ABE on Android devices, 
and provide a publicly available implementation for Android 
smartphone devices 1 . Indeed, existing ABE implementa¬ 
tions for Android showed a high computation overhead on 
mobile platforms |19| |21 . We prepared and cross-compiled 
two ABE C libraries, to be used on the Android mobile de¬ 
vices, thus proving the feasibility of such schemes on this 
platform. While we leave this as a future work, we expect 
that AndrABEn can be easily extended for other mobile 
devices and Internet of Things (IoT) devices. 

3. BACKGROUND ON ABE 

This section provides the fundamentals of Key-Policy 
ABE (KP-ABE) ll], and Ciphertext-Policy ABE (CP¬ 
ABE) [7]. Both CP-ABE and KP-ABE, are public key 
schemes. In a KP-ABE scheme, the data owner encrypts 
the data specifying a set of attributes. Each user owns a 
private key D that reflects a specific policy. She will be able 
to decrypt a ciphertext if and only if the attributes embed¬ 
ded into the ciphertext satisfy the policy in D. It consists 
of four functions: 

• Setup. It takes as input an implicit security param¬ 
eter and outputs the public parameter pk ABE , and a 
master key mk ABE . 

• Encryption. It takes as input a message M, a set 
of attributes 7, and the public parameter pk ABE , and 
outputs the ciphertext E. 






• KeyGen. It takes as input an access policy A , the 
master key mk ABE and the public parameter pk ABE . 
It outputs a decryption key D reflecting the given pol¬ 
icy. 

• Decryption. It takes as input the ciphertext E that is 
encrypted under the set of attributes 7 ; the decryption 
key D, that represents the access policy A; and the 
public parameter pk ABE . It outputs the message M if 
and only if 7 “satisfies” the access policy A. 

Different from KP-ABE, in the CP-ABE scheme, the data 
owner encrypts her data enforcing an access policy. Users 
are provided with private keys representing a set of at¬ 
tributes. Only users having attributes that satisfy an access 
policy will be able to decrypt the ciphertext. A CP-ABE 
scheme provides the following functions: 

• Setup. It takes as input an implicit security param¬ 
eter and outputs the public parameter pk ABE , and a 
master key mk ABE . 

• Encryption. It takes as input a message M, an ac¬ 
cess policy A, and the public parameter pk ABE , and 
outputs the ciphertext E. 

• KeyGen. It takes as input a set of attributes 7 , the 
master key mk ABE and the public parameter pk ABE . 
It outputs a decryption key D reflecting the given at¬ 
tributes. 

• Decryption. It takes as input the ciphertext E that 
is encrypted under the access policy A; the decryption 
key D representing a set of attributes 7 ; and the public 
parameter pk ABE . It outputs the message M if and 
only if 7 “satisfies” the access policy A. 

Similar to other pairing-based schemes, the complexity of 
CP-ABE and KP-ABE depends on the number of exponen¬ 
tiations and pairing operations performed by each of their 
algorithms |15]. In the CP-ABE scheme [7] , the efficiency of 
the KeyGen algorithm depends on the number of attributes 
to be applied to the newly generated key. Herein, the al¬ 
gorithm performs two exponentiations for each attribute. 
Similarly, the Encryption operation requires two exponen¬ 
tiations for each attribute in the specified policy. The same 
complexity is required also by the KeyGen and Encryp¬ 
tion operations in the KP-ABE scheme [ll]. However, the 
efficiency of the Decryption function for CP-ABE mainly 
depends on how the policy enforced on the ciphertext and 
on the private key used for its decryption. This makes an 
estimation of the complexity of such operation a non triv¬ 
ial task [7’. The same holds for the KP-ABE Decryption 
operation, which strongly depends on the attributes set and 
the access policy specihed in the ciphertext and the private 
key, respectively. 

4. ANDRABEN: IMPLEMENTATION AND 
ANALYSIS 

In this section, we provide an in-depth analysis of the 
performance of AndrABEn (Section |4.1| ), and a comparison 
with the implementation in 21 (Section |4.2[). 


4.1 Performance Evaluation 

Our ABE implementation l] comprises two libraries: the 
cpabe library [ 2 ], which implements the scheme proposed by 
Bethencourt et al. in [ 7 ], and a publicly available custom im¬ 
plementation [ 3 ] of the KP-ABE scheme proposed by Goyal 
et al. in jll . The original code has been slightly modified, 
in order to be integrated into Android mobile devices. Both 
libraries employ Type A pairings provided by the PBC li¬ 
brary [2]. Type A pairings are built on top of an elliptic 
curve: y 2 = x 3 + x over a finite field F q , for some prime 
q = 3 mod 4, and have a fixed embedding degree k = 2 [l6j. 
Therefore, the security strength of the scheme can be tuned 
by modifying two parameters: the size of the field q, and 
the prime order r of the base point P £ E{F q ) [2l]. Ta- 
blc[T]shows the security level of both CP-ABE and KP-ABE 
schemes, according to 10 . 


Security level bits 

80 

112 

128 

bit length of r 

160 

224 

256 

bit length of q 

512 

1024 

1536 


Table 1: Security strength of CP-ABE and KP-ABE. 


AndrABEn is implemented on Android 4.3, “Jelly 
Beam”. We carried out our experimental evaluation on a 
Samsung Galaxy Nexus device (1.2 GHz dual-core ARM 
Cortex-A9 CPU, 1 GB RAM). For completeness and com¬ 
parison, we also tested our libraries on a laptop device 
(Ubuntu 14.4 LTS, 1.8 GHz 4x Intel Core™ i7-4500U CPU, 
8 GB RAM). 


We evaluated KeyGen, Encryption and Decryption 
operations, varying the number of attributes adopted from 
one to 30. We consider this range to be representa¬ 
tive enough for a wide range of real world applications of 
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ABE _ 

We tested both ABE schemes with security levels of 80, 
112 and 128 bits, and measured average execution time, 
CPU and memory utilization, and energy consumption on 
mobile devices. Note that, as in other public key schemes, 
in ABE the actual encryption of the ciphertext is performed 
by means of a symmetric key, which is in turn encrypted 
with the public key. Therefore, we evaluate both encryption 
and decryption operations performed on a symmetric key. 
This makes our analysis independent from the size of the 
ciphertext. 


Execution Time. 

Figure [T] presents the average time overhead for Encryp¬ 
tion and Decryption operations for both CP-ABE and 
KP-ABE schemes. The results are presented for both An¬ 
droid and Laptop devices. They have been obtained as an 
average of 100 executions for each operation, varying the 
number of employed attributes and adopting different levels 
of security. 

As we can see in Figure [l] in general, the time required 
to perform each operation depends directly on the number 
of attributes that are used. Adopting a security value of 
80 bits (which is reasonable for several medium-level secu¬ 
rity applications ||) the CP-ABE Encryption operation 
remains under 4 s on the Android smartphone. Similarly, 
the CP-ABE KeyGen operation requires less than 2 s to 
be executed. However, adopting a security level of 112 or 
128 bits, the time overhead imposed by CP-ABE on Android 
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Figure 1: Average execution time (and std. deviation in Figure 2: Average RAM usage for CP-ABE and KP-ABE 
errorbar) for main CP-ABE and KP-ABE algorithms. on Android smartphone. 


smartphone is much higher, while we argue being still usable 
for non-interactive applications (e.g., encrypted data to be 
uploaded to a cloud storage service). Indeed, in such appli¬ 
cations the encryption could be carried out in a background 
process. For KP-ABE, however, the time required to per¬ 
form the various operations is lower, and even the adoption 
of a security level of 128 bits is feasible on Android smart¬ 
phone. On laptop, the evaluation results confirm the prac¬ 
ticality of both CP-ABE and KP-ABE schemes, requiring a 
reasonable time for both KeyGen (<2 s), and Encryption 
(<2 s) operations. 

CPU utilization. 

We measured CPU utilization on Android smartphone 
by collecting the required information from the system hies 
/proc/stat, and /proc/[pid]/stat, where pid is the id of 
the application’s process. The CPU utilization remains un¬ 
der 50% for each of the three operations, for both CP-ABE 
and KP-ABE, i.e., the operations fully utilize one of the two 
CPUs provided by the underlying platform. 

Memory utilization. 

We measured the average memory space required by An- 
drABEn, adopting a range between one to 30 attributes. 
We realized that our implementations utilize between 13.5 
and 14.5 MBytes of RAM space. We argue that such amount 
is acceptable for modern smartphones such as the Samsung 
Galaxy Nexus—used in our experiments. 

To better understand the behavior of AndrABEn in large 
scale scenarios, we also measured the average memory con¬ 


sumption employing 10, 100 and 1000 attributes. Figure [2] 
shows the obtained results. As expected, the amount of re¬ 
quired RAM grows with the number of employed attributes. 
Here, one of the main advantages of running CP-ABE and 
KP-ABE on native code is the possibility to manage the 
heap usage directly, without relying on the Dalvik VM. In¬ 
deed, in such case the use of the expensive garbage collector 
significantly slows down the overall execution 19 . 

Energy Consumption. 

Energy consumption is a major concern in mobile devices. 
Therefore, a desirable implementation of a cryptographic 
tool for mobile devices, should consume as less energy as 
possible. We measured the average energy consumption for 
each of the CP-ABE and KP-ABE operations, by using the 
well-known PowerTutor Android application [22]. Figure [3] 
shows the obtained results. As we can see, with a security 
level of 80 and 112 bits, the energy required by both schemes 
remains low, making their use suitable on smartphones. 

4.2 Discussion 

In what follows, we provide a brief comparison of our pro¬ 
posal, AndrABEn, against the implementation proposed 
in [5T], on the Android platform. 

Unfortunately, the code used in [2T does not seem to 
be publicly available. Moreover, in [2l], the authors per¬ 
formed their evaluation on a device (and a specific proces¬ 
sor in smartphone) which is not easily available anymore 
(an Android smartphone with a 1.60 GHz Intel Atom Z2460 
processor and 1 GB RAM). For these reasons, to compare 
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Figure 3: Average energy consumption for CP-ABE and 
KP-ABE on Android smartphone. 


with the implementation proposed in 21 , we can only rely 


on the numbers reported in [21] itself. Most of the discus¬ 
sion that follows is based on this approach. Moreover, for a 
further validation we also re-implemented the solution pro¬ 
posed in [21] and performed some additional comparison. As 
a side note we observe that, since our implementation is sin¬ 
gle threaded, it does not take advantage from the dual-core 
CPU of the device we used for our measurements. Further¬ 
more, both the device we adopted and the one used in [2l] 
are equipped with the same RAM memory (i.e., 1 GB). 

As shown in Figure [l] the execution time for both CP- 
ABE and KP-ABE with AndrABEn is significantly lower 
compared to the results reported in [21 . In particular, 
the CP-ABE key generation with AndrABEn requires 
less than 30 s, while with the implementation proposed 
in 21 , key generation requires around 200 s. Similarly, An¬ 
drABEn performs CP-ABE encryption and decryption in 
less than 30 s and 20 s, respectively, while in the implemen¬ 
tation proposed in 21 , encryption and decryption opera¬ 


tions take on average 70 s and 80 s, respectively. Moreover, 
the average execution time reported in j2l] for all the three 
main KP-ABE operations, considering 26 attributes and a 
security level of 128 bits, is ~ 45 s for encryption, while 
decryption and key generation operations require between 
« 90 s and « 110 s. Instead, our AndrABEn implemen¬ 
tation of KP-ABE requires a considerably lower execution 
time for each of the main operations, i.e., 12 s for decryp¬ 
tion (Figure [Tf[. and 3 s for encryption (Figure [Id] and key 
generation (Figure |lb|). 


In order to compare the energy consumption of An¬ 
drABEn (which is illustrated in Figure [3] with the im¬ 
plementation proposed in [21 for CP-ABE, let us consider 
10 attributes and a security level of 128 bits. With An¬ 
drABEn, each of the main CP-ABE operations, i.e., key 
generation, encryption and decryption, consumes almost 5 J, 
while with the implementation proposed in [2l], key genera¬ 
tion consumes between 70 J and 100 J, and encryption and 
decryption operations consume 30 J and 40 J, respectively. 
Furthermore, compared to AndrABEn, also the KP-ABE 
implementation of key generation, encryption and decryp¬ 
tion provided in 21 require a considerably higher amount 
of energy. Indeed, while our implementation of the three 
main KP-ABE operations requires less than 5 J, the imple¬ 
mentation in [21 requires between 15 J and 40 J. 
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Figure 4: Comparison between the CP-ABE implementation 
of AndrABEn and in [2l| . 


The comparison reported up to this point considered di¬ 
rectly the performance results reported in [21 . However, for 
a further validation we also developed our own Java-based 
implementation of the CP-ABE scheme in [T], following the 
specifications reported in 21 . We evaluated our Java imple¬ 
mentation (which we believe being similar to the one used 
in [2l], for which code is not available) on the same device we 
used to evaluate AndrABEn. Due to space limitations, we 
only provide a comparison of the different execution time for 
the two solutions, which is presented in Figure [4] As we can 
see, the execution time for CP-ABE with AndrABEn is sig¬ 
nificantly lower compared to the results obtained with our 
Java based implementation, that in turn presents results 
that are consistent with the ones provided in ;21 . As an ex¬ 
ample, let us consider the execution time obtained with 25 
attributes and a security level of 128 bits. Our CP-ABE An¬ 
drABEn implementation requires «25 s to perform the key 
generation, while the Java-based implementation requires 
«360 s to perform the same task. Similarly, the CP-ABE 
encryption and decryption operations with AndrABEn re¬ 
quire on average «26 s and «19 s, while our Java-based im¬ 
plementation performs encryption and decryption in «340 s 
and «172 s, respectively. 





































































































Overall, we can conclude that, compared with the ap¬ 
proach discussed in 21 , AndrABEn provides significantly 
better performance, in terms of execution time, memory and 
CPU usage, and energy consumption. 


5. CONCLUSION 

With the increasing use of cloud environment and smart 
devices connected to the Internet of Things, exchanged data 
confidentiality and access control to the stored data become 
a challenging issue. Attribute-Based Encryption is one of the 
best solutions that can be used to satisfy users privacy con¬ 
cerns [51]. However, its performance on resource constraint 
devices is a challenging issue, and still represents a big con¬ 
cern for researchers willing to use ABE to develop novel 
privacy-preserving and access control solutions for such de¬ 
vices. 

In this paper, we studied the feasibility of applying ABE 
on smartphone devices and presented AndrABEn, an im¬ 
plementation of ABE in C language. We also provided a 
comparative analysis with a similar research study [21 in 
which the authors proposed a Java-based implementation 
of ABE for Android smartphone. Based on the results of 
our thorough experiments, we conclude that using ABE on 
Android smartphones and similar devices is feasible. The 
evidence that we bring in this paper will be a reference for 
applicability of ABE in resource-constrained devices. 
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